(54) Method and apparatus for secure electronic voting

(57) A number-theoretic based algorithm provides for secure electronic voting. A voter may cast a vote among n centers in a manner which prevents fraud and authenticates the votes. Preprocessing allows for nearly all of the communication and computation to be performed before any voting takes place. Each center can verify that each vote has been properly counted. The algorithm is based on families of homomorphic encryptions which have a partial compatibility property. The invention can be realized by current-generation PCs with access to an electronic bulletin board.



[Front-page drawing: numbered steps of the election procedure; the text is not legible in this copy.]




EP0 697 776 A2 



Description 

The present invention relates to method and apparatus useful for secure electronic voting and specifically, to number-theoretic based algorithms for secure electronic voting. Quite specifically, the algorithms are based on families of homomorphic encryptions having a partial compatibility property.

Secure electronic voting is one of the most important single applications of secure multi-party computation. Yet despite extensive work on this subject, no complete solution has been found in either the theoretical or practical domains. Even the general solutions to secure multi-party protocols fail to exhibit all of the desired properties of elections. For example, an article by J.C. Benaloh et al, entitled "Receipt-free Secret-ballot Election," in STOC 94, pp. 544-553 (1994) describes the receipt-free property. While these general solutions do have a wide breadth of security properties, and some hope of rigorous analysis, they are impractical both in their computational and communication costs.

A number of more practical voting protocols have been proposed, with widely differing security properties. Schemes based on anonymous channels/mixers have become very popular due to their superior efficiency and the arbitrary nature of the votes that are allowed. Such schemes are described in an article by D. Chaum entitled "Untraceable Electronic Mail, Return Address, and Digital Pseudonyms" in Communication of the ACM, ACM, 1981, pp 64 to 88, in an article by A. Fujioka et al, entitled "A Practical Secret Voting Scheme for Large Scale Elections." in Advances in Cryptology - Auscrypt '92, 1992, pp. 244 to 251, and in an article by C. Park et al, entitled "All/Nothing Election Scheme and Anonymous Channel" in Advances in Cryptology, Eurocrypt '93, 1993, pp. 248 to 259. However, a price is paid for this efficiency. The simplest of these schemes does not allow a voter to securely protest the omission of a vote without allowing a malicious voter to block the election. In all the schemes known to the inventors there is a high round complexity - one round for each mixer used to implement the anonymous channel. Also, after the election each voter is typically responsible for checking that their vote was correctly tallied. There is usually no way for an outside observer to later verify that the election was properly performed.

Another approach is the use of number theoretic techniques without anonymous channels or mixers. These protocols have desirable security properties, but as discussed below in detail, their communication complexity is quite high for realistic scenarios. Such techniques are described in an article by J. Benaloh and M. Yung entitled "Distributing the Power of a Government to Enhance the Privacy of Voters" in ACM Symposium on Principles of Distributed Computing, 1986, pp. 52 to 62, in a Ph.D. thesis by J. Benaloh entitled "Verifiable Secret-Ballot Elections", Ph.D. thesis, Yale University, 1987, YaleU/DCS/TR-561, and in an article by J. Cohen et al entitled "A Product and Verifiable Cryptographically Secure Election Scheme", in FOCS85, 1985, pp. 372 to 382.

The protocol of Benaloh and Yung enjoys most of the desirable security properties obtained in the present invention, and is based on partially compatible homomorphisms of the form

$$E_i(x) = y_i^{x} \cdot g^{r} \bmod n_i.$$

The technical advances made by the present invention include:

Greater generality: The encryption used by Benaloh and Yung was tuned to the factoring problem. Each center $i$ had the prime factorization of $n_i$ as part of its secret information. This secret information complicated the protocol in that the voters needed to verify the correctness of the centers' public information and the correctness of their subtallies through interactive protocols. Also, the present invention can be applied to "discrete-log type" problems.

Amortization techniques: Unlike most previous work in voting, the present invention considers how to run multiple elections more efficiently. Since there are usually many voters and checking each vote involves many subchecks, amortization techniques can be effectively used to speed up single elections as well.

Improved zero-knowledge proofs: Direct and efficient protocols show, for example, that x + y is either 1 or -1, without conveying which is the case. These proofs are more efficient than the cryptographic capsule methods used in the prior art. Also, the present invention incorporates techniques, such as the Fiat-Shamir heuristic for removing interaction, that were not available at the time of Benaloh and Yung. Some of these techniques can also be applied to the original protocol (with varying degrees of difficulty and utility). By using more modern techniques the present invention realizes the basic approach laid out by Benaloh and Yung, but with greatly improved efficiency.

In accordance with the teaching of the present invention, a number-theoretic method for secure electronic voting provides a number of features including moderate communication cost, low round complexity, preprocessing potential, security, universal verifiability and flexibility, all as described below.

The idea of secure electronic voting is to enable secret votes to be performed electronically where the votes of individual voters are unknown and where the election results are tamper-proof without the collusion of many counting centers. The present invention relies upon a novel mathematical method to encode votes for verification by breaking up the vote into shares which are supplied to different counting centers. Moreover, the ballots can be pre-processed for verification, but the ultimate vote decision can be delayed until the time of actual voting. The method used permits authentication of multiple ballots efficiently. In addition, the method is readily embodied using currently available PCs or workstations and conventional electronic bulletin boards.






The present invention requires much less communication cost than the previous number-theoretic protocols. For one realistic setting of the parameters, it is estimated that the present invention conservatively requires less than 1/20th the communication of Benaloh-Yung's scheme. Furthermore, when more than one election is to be held, it is possible to use an amortization technique that will boost the per-vote advantage to a factor of between 150 and 250. It should be noted however that the communication complexity of each vote remains much greater than that required by the anonymous channel/mixer-based protocols. However, it is well within the range of feasibility.

The present method enjoys an extremely low round complexity. Once the system has been set up, a voter can cast a vote in an election simply by posting a single message. The counting process comprises each counting center posting a single, very short message.

Ideally, one would like to do the bulk of the communication and computation in advance of an actual vote. In the present method, it is possible to preprocess one's vote with a single message. This preprocessing step does not depend on the vote that is eventually cast, and may be done at the time the voter "registers" to vote. When it comes time to actually vote, the voter can often simply post a single bit (or a bit along with a small integer in the worst case). Thus even with the signatures needed for identification, the communication cost is negligible. Similarly, after preprocessing, a PC acting as a voting center can easily count a hundred incoming votes per second.

Under reasonable heuristic assumptions, no coalition of voters or centers can unfairly influence an election or significantly delay its outcome. A voter keeps her vote private as long as two of the centers are honest. The two honest centers requirement can be reduced to a single honest center requirement by a simple doubling mechanism: each center simulates two centers of the original schemes.

While heuristic assumptions are used (such as the Fiat-Shamir method for noninteractive proofs) the only attack known requires one to compute discrete-logarithms over the group being worked in. Thus, it is possible to use elliptic curves for which the discrete-log problem is currently thought to be much harder than factoring. Previous number-theoretic approaches were based on the $r$th residue problem over $Z_n^*$, and are guaranteed breakable if one can factor $n$.

Every action by a voter, whether preprocessing a vote or actually voting, is accompanied by a proof that the ballot is correctly constructed. The output of the counting center may also be easily checked for correctness. Any participant can verify that everyone else's vote has been included in the tally. Once a party posts a message, it does not need to cooperate in the checking of its work. The checking of the election can be distributed over many parties, and if someone is still not satisfied they may check the results themselves. Thus, a voter has the option of minimally participating in an election by simply sending in their vote and then ceasing all involvement.

The present invention is readily adaptable to different situations. For example, the number of centers can be made quite large. Voters may choose their own security/efficiency tradeoff and individually choose how many and which centers they use. Thus, it is possible to practically support an election in which there are 100 centers of which a typical voter chooses 10 and is protected as long as two of them are honest. For large elections it is possible to construct hierarchical counting schemes.

The present invention provides a new tool: families of partially compatible homomorphic encryption functions. There are well known encryption functions with additive ( E(x + y) = E(x) E(y) ) or multiplicative ( E(xy) = E(x) E(y) ) homomorphisms. These properties can be exploited to make very efficient zero-knowledge proofs, but they can also work against security. For example, suppose that one has E(x) and E(y) and wishes to know whether x + y is 1 or -1. If E is a function (as opposed to a probabilistic encryption) with an additive homomorphism then one can compute E(x + y) and check if it is equal to E(1) or E(-1).

Benaloh and Yung in their article entitled "Distributing the Power of a Government to Enhance the Privacy of Voters" in ACM Symposium on Principles of Distributed Computing, 1986, pages 52 to 62, circumvent this difficulty by using a family of probabilistic encryption functions, $\{E_1, \ldots, E_n\}$. Each $E_i$ probabilistically encrypts an element $x \in Z_r$ where $r$ is a moderately large prime independent of $i$. While each satisfies $E_i(x + y) = E_i(x)E_i(y)$, there is no obvious way of combining $E_i(x)$ and $E_j(y)$ to obtain an encryption of some simple function of $x$ and $y$. A key requirement of their technique was that the encryptions $E_i$ be probabilistic, a condition weakened in the formalism below.

The present invention considers a family of additive homomorphic, possibly deterministic encryption functions, $\{E_1, \ldots, E_n\}$. Within this family there is a single group $Z_q$ (where $q$ is large) such that $E_i(x + y) = E_i(x)E_i(y)$, where $x, y \in Z_q$. Thus, they are all basically compatible. However, it is required that for all $(i, j)$ the following two distributions are computationally indistinguishable:

1. $(E_i(x), E_j(y))$, where $x$ and $y$ are chosen uniformly from $Z_q$, and

2. $(E_i(x), E_j(x))$, where $x$ is chosen uniformly from $Z_q$.

This implies that for any $v$, $(E_i(x), E_j(v - x))$ is indistinguishable from $(E_i(x), E_j(y))$.

Thus, if $x$ and $y$ are chosen uniformly such that $x + y = v$, then knowing $(E_i(x), E_j(y))$ does not reveal anything about $v$. Similarly, if $x_1, \ldots, x_n$ are chosen uniformly to sum to $v$, then knowing $n - 2$ of the values $\{x_1, \ldots, x_n\}$ reveals nothing about $v$.

Families of encryption functions with this property are called partially compatible homomorphic encryption functions. Reduction of the existence of such families to any well-known algebraic assumption is unknown. However, there are a number of candidates for such a family of encryption functions. For example, let primes $p_i = k_i q + 1$, where $q$ is a prime, let $g_i$ be a randomly (or pseudorandomly) chosen generator for

and let


If $E_i(x) = \alpha_i^{x}$ then there is no way of obtaining any information about $x_1 + x_2$ given $E_1(x_1)$ and $E_2(x_2)$ without computing discrete logarithms. The only weakness of the method is that if $p_1 = p_2$ and $l$ is such that $\alpha_2 = \alpha_1^{l}$ is known, then one can compute $E_1(x_1 + x_2)^{l} = E_1(x_1)^{l} E_2(x_2)$, which allows one to determine if $x_1 + x_2$ is equal to a given number. No such attack is known when $p_1 \neq p_2$.

It is also possible to incorporate encryption functions based on elliptic curves or other groups. Furthermore, it is possible to mix arbitrarily which types of groups are used. For ease of description, multiplicative notation for the cyclic group generated by $\alpha_i$ will be used, regardless of whether the group is normally treated as multiplicative or additive.

Using these families of partially compatible homomorphic encryption functions, very efficient interactive proofs are constructed for assertions such as:

$x_1 + \cdots + x_n = a + b$, given the encryptions for these values, and
$x + y \in \{1, -1\}$, given the encryptions for $x$ and $y$.

Because of the efficiency of these proofs, they can be run many times, and used with the heuristic of Fiat-Shamir described in an article entitled "How to Prove Yourself: Practical solution to identification and signature problems" in Advances in Cryptology - Crypto '86, Springer-Verlag, 1986, pp. 186 to 199, to make them noninteractive.

The improved proof methods bring the complexity of the number-theoretic techniques to the point where they can be used by a personal computer (PC) that can post messages to a bulletin board as will be described below. However, when very strong confidence parameters are used ($2^{-40}$ or even $2^{-60}$ error rates are recommended when using the Fiat-Shamir heuristic) and the voter is allowed to protect the vote by using many (e.g., 10) of the available centers, the costs are at the outer margin of usability. Hence, the invention develops methods for making these burdens easier to bear.

By allowing nearly all of the work to be done in advance of any election, the computational and communication burden can be amortized over a much larger period of time and still result in having very fast elections. To lower the computational burden of a proof, table lookup techniques are used to reduce the number of group operations required. Finally, a voter can process many votes using much less communication and computation than would be required to process the votes individually.

The use of amortization in cryptography is not new. Kurosawa and Tsujii in an article entitled "Multi-language Zero Language Interactive Proof Systems" in Advances in Cryptology - Crypto '90 (1991) pp. 339 to 352, construct a zero-knowledge proof for two assertions that is more efficient than simply concatenating the zero-knowledge proofs for each assertion. Boyar, Brassard and Peralta in an article entitled "Subquadratic Zero-Knowledge" in FOCS 91 (1991) pages 69 to 78, and Kilian in an article entitled "A Note on Efficient Zero-knowledge Proofs and Arguments" in STOC92 (1992) pages 722 to 732, consider the problem of achieving ultra-high confidence zero-knowledge proofs for NP using less communication than is required by simple sequential repetition. Franklin and Yung in an article entitled "Communication Complexity of Secure Computation" in STOC92 (1992) pages 699 to 710, show how to implement k instances of a secure multi-party computation much less expensively than k times the cost of a single secure computation.

The present invention therefore provides a method and apparatus for secure electronic voting using partially compatible homomorphisms which is more efficient than the heretofore known methods.

The invention will be more clearly understood when the following description is read in conjunction with the accompanying drawing.

Figure 1 is an algorithm useful for proving the validity for shares;

Figure 2 is an algorithm useful for proving summation assertions;

Figure 3 is an algorithm of the electronic scheme comprising the present invention;

Figure 4 is a schematic illustration of a preferred embodiment for practicing the invention;

Figure 5 is a schematic illustration of a vote constructor;

Figure 6 is a schematic illustration of a vote inverter;

Figure 7 is a schematic illustration of a ballot checker;

Figure 8 is a schematic illustration of a multiple-vote constructor;

Figure 9 is a schematic illustration of a multiple-vote ballot checker; and

Figure 10 illustrates the voting process in Figure 3.

The basic voting scheme comprising the present invention will now be described. For simplicity, assume that there are only two centers counting the votes, and that a single yes/no vote is being held. It will be apparent to those skilled in the art that the invention is applicable to situations with many, for example tens of, vote counting centers. The basic method does not protect privacy of a vote against the center. This problem will be overcome as described below when more than two centers are involved.

The two centers are denoted by $C_1$ and $C_2$. Each vote $v$ will be broken into shares $x_1$ and $x_2$, where $x_i$ is a member of $Z_q$ and $q$ is a prime. Before being posted, each share $x_i$ is encrypted using encryption function $E_i$, where $\{E_1, E_2\}$ form a family of partially compatible homomorphic encryption functions.

As part of the setup process, which need only be done once for all time, the parties agree on $\{E_1, E_2\}$. Note that with implementations based on discrete-log functions, there is no trapdoor information that need be kept hidden. Thus, for example, a few bits from some global source can be fed into a pseudorandom bit generator and these random bits could be used to choose the moduli and generators needed to specify the desired functions. Heuristically, anyone can provide the seed to the pseudorandom generator, and it is unlikely that the seed will make the output a weak set of functions.

Along with setting up the family of encryption functions, assume that basic primitives such as public-key cryptography and secure bit-string commitment have already been established. Let H(x) denote a possibly probabilistic hash function that commits the sender to x without giving away any useful information about x.

The basic election procedure is performed in three stages: vote preparation, vote casting and vote counting.

Each voter $i$ chooses a vote $v_i$, 1 for a yes-vote and -1 for a no-vote. The voter uniformly generates $x_i^{(1)}$ and $x_i^{(2)}$ such that

$$x_i^{(1)} + x_i^{(2)} = v_i \bmod q.$$

The voter then posts

$$E_1(x_i^{(1)}) = \alpha_1^{x_i^{(1)}}$$

and

$$E_2(x_i^{(2)}) = \alpha_2^{x_i^{(2)}}$$

and proves $x_i^{(1)} + x_i^{(2)} \in \{1, -1\}$ without disclosing $x_i^{(1)}$, $x_i^{(2)}$ nor $v_i$.

Each voter $i$ encrypts $x_i^{(1)}$ and $x_i^{(2)}$ using the public keys of $C_1$ and $C_2$ respectively. Each center $j$ computes $E_j(x_i^{(j)})$ and checks that it agrees with the previously posted value.

Each center $j$ sums up $x_i^{(j)}$ modulo $q$ for all voters $i$ and posts sub-tally $t_j$. Each voter verifies that

j 

and computes $T = t_1 + t_2$, which is equal to the number of "yes" votes minus the number of "no" votes.
Referring to Figure 1 there is shown a simple algorithm, referred to as prove±1, for proving validity of shares, namely that $x_1 + x_2 \in \{1, -1\} \bmod q$ given $E_1(x_1)$ and $E_2(x_2)$. The algorithm is a method by which a verifier proves that when the halves of the votes are combined, the result is a well-formed vote. No information regarding the actual vote is revealed by the method.

Each execution of the algorithm in Figure 1 will catch a cheating prover with probability Note that the distribution of $(Y_1, Y_2)$ is easy to simulate given $(E_1(x_1), E_2(x_2))$. Indeed, if R is a perfect zero-knowledge bit commitment then the algorithm is perfect zero-knowledge. Also note that a conceptually more simple algorithm would have the prover reveal $s(x_2 - r)$ in Step 2b. The selected algorithm was chosen for its reduced communication complexity. Both s and / could also be eliminated by having the verifier check both possibilities, but this would save only 2 bits.

While this algorithm is given in terms of a verifier, a more round efficient solution is to use the Fiat-Shamir method of eliminating interaction. First, the protocol is run many times (on the order of 40 or 60) in order to make the probability of withstanding all of the challenges vanishingly small. Then the verifier is replaced by a suitably "random looking" hash function which generates the challenges from the prover's posting in Step 1 of the protocol. If the prover is trying to prove an incorrect statement, then heuristically the prover's only strategy is to run different postings through the hash function until finding one whose challenges the prover can meet. However, the cost of this attack is prohibitive if the error probability is truly small ($2^{-40}$ or $2^{-60}$).

In the basic method described above, there were only two centers and a single yes-no vote. However, in more practical scenarios a voter will want to divide the vote among as many centers as possible - the more centers the more private the vote. Also, a voter is likely to participate in many elections and a given election is likely to have many yes/no votes. For example, Benaloh supra points out that approval voting (where a voter may cast a vote for any number of the given candidates) is really just a case of several independent yes/no votes. The following describes how to split many votes over many centers with substantial amortized savings compared with preparing each vote separately.

For simplicity, assume that there are only n centers and that each voter will split their votes over all n centers. For each center $i$ there is an encryption function $E_i$ from this family. Following the basic scheme, the voter breaks the vote $v \in \{1, -1\}$ into shares $X^{(1)}, \ldots, X^{(n)}$ such that $v = X^{(1)} + \cdots + X^{(n)}$, and then proves that these shares are correctly constructed. The most straightforward solution is to adapt the algorithm prove±1 shown in Figure 1 to handle more than two shares. Instead, the proof is broken into two stages. First, the prover randomly generates a, b such that $v = a + b$ and proves that $X^{(1)} + \cdots + X^{(n)} = A + B$. Then, the algorithm prove±1 in Figure 1 is used to prove that $v = a + b$. This provides an opportunity to handle multiple votes efficiently as described below.

Figure 2 is an algorithm, referred to as prove-sum, for reducing a sum of n encrypted shares to a sum of two shares. The voter has broken the vote into many encrypted shares and also split the vote into two encrypted halves. The prove-sum algorithm is a method by which a verifier proves that the many shares combine to give the same value as the two halves. No information regarding the actual vote is revealed by the method. The algorithm prove-sum is used in conjunction with the algorithm prove±1 to efficiently show that a vote which has been broken into many shares can be combined into a well-formed vote.

Assume that the encryptions $E_i(X^{(i)})$, $E_a(A)$ and $E_b(B)$ are known, and that

$$(E_1, \ldots, E_n, E_a, E_b)$$

is a family of partially compatible homomorphic encryptions with domain $Z_q$. If the summation assertion is not true, then in each iteration of the protocol the prover will fail a check with probability at least As before, this error rate is lowered to a very small value by repetition, and then the Fiat-Shamir heuristic is used to make the proof noninteractive.

The bulk of computation and communication required for the full n-party scheme is taken up by the proof of the reduction to the 2-share sum. By combining many of these proofs into a single proof, the voter can efficiently prepare many "yes/no" ballots at once with significant savings in the amortized computation and communication required.

Suppose that the voter wants to prove that the following equations hold.

$$X_1^{(1)} + X_1^{(2)} + \cdots + X_1^{(n)} = A_1 + B_1$$
$$\vdots$$
$$X_m^{(1)} + X_m^{(2)} + \cdots + X_m^{(n)} = A_m + B_m$$

and the values of $E_i(X_j^{(i)})$, $E_a(A_j)$ and $E_b(B_j)$ are known for $1 \le i \le n$ and $1 \le j \le m$. Let coefficients $c_1, \ldots, c_m \in Z_q$ be chosen at random, and consider the following linear equation:

$$\tilde{X}^{(1)} + \tilde{X}^{(2)} + \cdots + \tilde{X}^{(n)} = A + B, \qquad (1)$$

where

$$\tilde{X}^{(i)} = \sum_{j=1}^{m} c_j X_j^{(i)}, \qquad A = \sum_{j=1}^{m} c_j A_j, \qquad \text{and} \qquad B = \sum_{j=1}^{m} c_j B_j.$$

By a simple probability argument, the following facts hold:

1. If all of the original linear equations were true, then the new linear equation will also be true, and

2. If at least one of the original linear equations is false, then the new linear equation will be false with probability 1 - 1/q.

Thus, a proof of the new equation will suffice as a proof of all of the original equations.

It remains to show how to generate the encryptions for the new variables and how to choose the coefficients. The encryptions are given by

$$E_i(\tilde{X}^{(i)}) = \prod_{j=1}^{m} E_i(X_j^{(i)})^{c_j}, \qquad E_a(A) = \prod_{j=1}^{m} E_a(A_j)^{c_j}, \qquad \text{and} \qquad E_b(B) = \prod_{j=1}^{m} E_b(B_j)^{c_j}.$$


One can view the $c_j$ coefficients as challenges. As before, the Fiat-Shamir scheme is used to generate the value $c_j$ by a hash function of the original encryptions. Note that in this case, it is not necessary to perform the operation multiple times, since for a random setting of the coefficients an error in the original set of equations will result in an error in the final equation with all but vanishing probability. Indeed, for computational efficiency it suffices to choose $c_j$ from $\{1, \ldots, 2^{60}\}$, which will greatly speed up the exponentiations.
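
The batching step can be checked numerically. The sketch below is an added example, not code from the patent: it uses a constructed toy group (q = 1019, p = 2q + 1 = 2039, with all n + 2 bases taken as squares in that one group), SHA-256 as the Fiat-Shamir hash, and hypothetical function names. Because q is tiny, the coefficients are drawn from {1, ..., q - 1} instead of {1, ..., 2^60}. The prover's combined plaintexts are opened only to show which equations hold; in the scheme itself equation (1) is proved with prove-sum.

```python
import hashlib
import secrets

Q, P = 1019, 2039          # constructed toy parameters: both prime, P = 2Q + 1

def bases(n):
    """n share bases plus the bases for E_a and E_b; squares mod P have order Q."""
    return [pow(g, 2, P) for g in range(2, n + 4)]

def make_rows(m, n, cheat_at=None):
    """Prover side: m plaintext rows [X^(1..n), A, B] with sum(X) = A + B mod Q.
    cheat_at makes the equation of that one row false."""
    rows = []
    for j in range(m):
        xs = [secrets.randbelow(Q) for _ in range(n)]
        a = secrets.randbelow(Q)
        b = (sum(xs) - a) % Q
        if j == cheat_at:
            b = (b + 1) % Q
        rows.append(xs + [a, b])
    return rows

def encrypt_rows(rows, alphas):
    """Posted values: E_i(X_j^(i)), E_a(A_j), E_b(B_j) for every row j."""
    return [[pow(al, x, P) for al, x in zip(alphas, row)] for row in rows]

def challenges(enc_rows):
    """Fiat-Shamir: derive c_1..c_m from a hash of the posted encryptions."""
    seed = hashlib.sha256(repr(enc_rows).encode()).digest()
    cs = []
    for j in range(len(enc_rows)):
        d = hashlib.sha256(seed + j.to_bytes(4, "big")).digest()
        cs.append(1 + int.from_bytes(d, "big") % (Q - 1))   # nonzero mod Q
    return cs

def combine_encryptions(enc_rows, cs):
    """Verifier side: column-wise product of E(...)^{c_j}, computed from public data."""
    out = [1] * len(enc_rows[0])
    for row, c in zip(enc_rows, cs):
        for i, e in enumerate(row):
            out[i] = out[i] * pow(e, c, P) % P
    return out

def combine_plaintexts(rows, cs):
    """Prover side: column-wise sum of c_j * value mod Q."""
    width = len(rows[0])
    return [sum(c * row[i] for row, c in zip(rows, cs)) % Q for i in range(width)]

def batch_check(rows, alphas):
    """Returns (combined encryptions match combined plaintexts, equation (1) holds)."""
    enc = encrypt_rows(rows, alphas)
    cs = challenges(enc)
    comb_pt = combine_plaintexts(rows, cs)
    comb_ct = combine_encryptions(enc, cs)
    consistent = comb_ct == [pow(al, x, P) for al, x in zip(alphas, comb_pt)]
    *xs, a, b = comb_pt
    return consistent, sum(xs) % Q == (a + b) % Q

def demo():
    alphas = bases(3)
    honest = batch_check(make_rows(20, 3), alphas)
    cheating = batch_check(make_rows(20, 3, cheat_at=7), alphas)
    return honest, cheating

if __name__ == "__main__":
    print(demo())
```

With one false row the combined equation is off by that row's coefficient, which is nonzero modulo Q, so the single proof of equation (1) fails; with several false rows the errors can cancel only with probability about 1/q.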

Figure 3 is an algorithm of the election method comprising the present invention as described above for the case of m votes distributed over n centers. In the precomputation stage, randomly generated votes are broken into encrypted shares. In the vote-casting stage, the voters specify whether the random vote should be counted as given or be inverted, i.e. changed from a yes (1) to a no (-1) or vice-versa. In the vote counting stage, the voting centers count their shares of the vote and post the subtallies. The subtallies do not provide any information for any subset of the voters. The subtallies are then combined together to determine the final vote. At each step of the algorithm, information is provided to allow voters and (possibly future) outside observers to verify the correctness of each step.

An estimate of the communication cost of the present invention will be calculated. While it will be apparent to those skilled in the art that there are many possible variations of the present invention, a good understanding of their complexity can be had by analyzing the cost of splitting a vote into encrypted shares and proving that the shares are well formed.

A number of security parameters are involved in this analysis. First, assume that the encryption functions are based on modular exponentiation over

and let $k$ be an upper bound on the length of $p_i$ (if different moduli are used, then they will not be exactly the same size). Let $h$ be the output of the hash function H used for commitments and let $l$ be the security parameter that effectively denotes how many times the proofs are run.

Consider the most general case of splitting m votes to n centers. Note that for m large, a higher amortized efficiency is achieved due to the method used. Not counting the cost of the proof, representing these pieces along with the additional 2 shares used in the reduction requires $(n + 2)km$ bits. The cost of proving the correctness of the combined equation is $[2(n + 2)k + (n + 1)h]l$ bits. At this point, the voter has proved that each set of n shares representing a vote is equal to the two auxiliary shares. The proof that the two auxiliary shares sum to 1 or -1 costs $[3k + h]lm$ bits. The cost of revealing these shares to the proper counting authorities is approximately $nkm$ bits. Altogether, this gives a total of $2(n + 1)mk + [(2n + 2)k + (n + 1)h + (3k + h)m]l$ bits. Some of the resulting numbers are shown in Table 1. If "center doubling" is used so as to require only one good center instead of two, then the costs are all doubled.

                               1 vote, l = 40        1 vote, l = 20        100 votes, l = 40
Proposed Scheme                56K bytes, 2.5 min    28K bytes, 1.5 min    1M bytes, 58 min
Benaloh & Yung (1000 voters)   4M bytes, 11 min      1M bytes, 3 min       400M bytes, 19 hrs

All with n = 10 centers.

Table 1

An approximate estimate computation cost for the voters is described below. In accordance with the invention, the 
costly computations are mainly modular multiplication and modular exponentiation. Note that many modular exponen- 
tiations with the same base are being performed. This fact can be exploited by computing lookup tables that will reduce 
the number of multiplications required by the exponentiations. For example, it is possible to precompute a [ for all /s that 
20 are powers of 2. This will reduce the average number of multiplications needed to compute <x x mod p from | k to Vfc/c, 
requiring a table size of (n + 2)/c? bits. Using a more sophisticated table can result in further factor of 3 for the typical 
number ranges. 

Again consider the case of splitting m votes into n shares each. Splitting m votes to mn pieces requires $\frac{1}{2}(n + 2)km$ multiplications. A total of $\frac{1}{2}(n + 2)kl$ multiplications are needed for proving the reduction to the reduced 2-share representation of a vote. A total of $klm$ multiplications are needed to complete the proof that the votes are well formed. Verifying the subtallies of each center requires $(\frac{1}{2}k + [\#\text{ of voters}])nm$ modular multiplications.

Altogether, the method requires approximately

$$\tfrac{1}{2}[(2n + 2 + 2l)m + (n + 2)l]k + [\#\text{ of voters}]\,nm$$

modular multiplications. A PC running at 33MHz can execute 768 multiplications in a second. Based on this, some of the resulting numbers are shown in Table 1.

Note that these figures are only approximate. However, the cost of other operations, such as modular addition or computing hash functions, is comparatively negligible.

An approximate estimate of the computation cost needed for verification will now be described. Again, k is the length of p, and l is a security parameter which determines the maximum probability of cheating. The value $|c|$ is the length of the coefficients used in the method, which can be set small. Also, modular exponentiation can exploit the previously mentioned table lookup techniques.

Consider the case of splitting m votes into n shares each. A total of $\frac{1}{2}(n + 2)|c|(m - 1)$ multiplications are needed for generating the encryption of the shares, including their representation. A total of $\frac{1}{2}(n + 2)(k + 1)l$ multiplications are needed to verify that the combined equation is correct. A total of $(k + 1)lm$ multiplications are needed to complete the proofs that the shares are well formed. Altogether, this yields $\frac{1}{2}[((n + 2)|c| + 2l(k + 1))m + (n + 2)(kl + l - |c|)]$ modular multiplications for each voter.

This number can be reduced by using techniques for verifying many modular exponentiations, resulting in a factor of 4 improvement over actually computing the exponentiations.

The work of Benaloh and Yung gave the first scheme where votes are divided into pieces and the verifiable subtally yields the total outcome of voting. However, their scheme suffers from large communication complexity and seems not yet practical for implementation on existing networks. One of the reasons they need large communication complexity is that each center i generates secret prime factors of its public key $N_i$. Therefore the scheme involves an interactive protocol to detect possible cheating at the setting of the public keys, together with an interactive protocol to show that a detected cheat was not due to a malicious voter. Also, since extra information of subtally may reveal these secret primes, an interactive protocol was necessary to prove the correctness of subtally. For the above reasons, their protocol needed $(4l^2 + 5l + 2)kn$ bits for communication, where k is the size of the public keys of the n centers, and l is a security parameter.

The computation complexity is rather small for each iteration of their scheme, since the computation is based on $y^e x^r \bmod n$ where e and r are much smaller than n. However, since this interactive proof takes place many times, the total cost does not remain so small. An estimate of their total computation follows, assuming that they use the same step of constructing a table of $y^i \bmod n$ that requires $nrk$ bits. Then, there will be $3(l^2 + 3l + 1)\lg rn + 2(l^2 + l + 1)n + [\#\text{ of voters}]\,n$ n-bit modular multiplications in total, where k is the size of the public keys of the n centers, r determines the number of voters and l is a security parameter. An approximate numerical comparison is shown in Table 1.

Having described the method of practicing the present invention, preferred embodiments useful for practicing the 
invention will now be described. 

Figure 4 schematically illustrates a preferred embodiment for practicing the invention. The voters and vote counters use personal computers or workstations 10 connected to a conventional electronic bulletin board 12. All parties (voters, verifiers, counters and the like) to the voting process interact by posting messages to and sending messages from the bulletin board. Voters can also serve as vote counters. The personal computers either contain software to perform the method described above or alternatively contain in hardware or software embodiments of the elements described in Figures 5 to 9.

Figure 5 illustrates a vote constructor. The vote constructor 14 generates shares 18 and encrypts the shares 20 for the vote from yes/no vote selection 16 using partially homomorphic encryption functions as described above. The vote constructor also encrypts the shares with the public key of the respective center $C_i$ that will process the share. The vote constructor also produces a ballot authentication certificate by which anyone can verify that the encrypted shares combine to make a well-formed vote. The encrypted shares 20 and the certificate 22 are posted to the electronic bulletin board 12. The arrows to centers $C_i$ merely specify who is able to decrypt the globally posted information.

Figure 6 schematically illustrates a vote inverter for converting "yes" votes to "no" votes and "no" votes to "yes" votes. Given a set of encrypted shares 20, inverter 24 produces a set of encrypted shares 26 for the inverted vote (indicated with the prime). Likewise, given an unencrypted share 28, inverter 24 will produce an inverted unencrypted share 30. During the actual voting, the voter specifies whether the previously constructed vote should be inverted before counting or be counted as is. A counter must conform to the specification of the voter or be detected as not conforming to the voter specification by anyone who checks the vote. The inverter enables the preprocessing of a vote, perhaps at the time of registration, and then allows subsequent voting by either confirming the preprocessed vote or inverting the preprocessed vote. This system enables more efficient voting.

Figure 7 schematically illustrates a ballot checker. The ballot checker 32 receives a set of encrypted shares 20 and the ballot authentication certificate 22 and determines whether the encrypted shares can be combined to form a well-formed vote, thus indicating a valid or invalid vote.

Figure 8 schematically illustrates a multiple-vote constructor. In this case, a multiple yes/no vote selector 40 provides votes to a multiple vote constructor 42. The multiple vote constructor forms shares for each vote and encrypts the shares. Each encrypted vote is in the form of a ballot 44. A single multiple ballot authentication certificate 46 is provided for constructing all of the multiple votes.

Figure 9 schematically illustrates a multiple-vote ballot checker. A multiple ballot checker 48 checks a set of votes that were produced by the multiple vote constructor shown in Figure 8. The checker 48 checks that a set of votes were produced by the multiple-vote constructor using the encrypted shares 44 and the single multiple ballot authentication certificate 46. As described in conjunction with the ballot checker in Figure 7, the checker 48 determines whether the shares can be combined to form well-formed votes, thus indicating a valid or invalid vote.

Figure 10 graphically illustrates the voting process described in Figure 3. Voters V cast votes "yes" or "no" as shown. The votes are broken into shares, encrypted and split among many centers C. The votes are checked with the certificates to provide proof that the votes were properly encrypted and distributed. The voters and centers verify the election. The centers combine their respective shares to form subtallies which are then combined together to yield the final election result.

Claims 

1. A method of secure electronic voting with a plurality of voting means and a plurality of vote counting means using partially compatible homomorphisms comprising the steps of:

(a) choosing a randomly selected family of partially compatible encryption functions $E_a$, $E_b$, $\{E_i\}$, for voting means $V_1, V_2, \ldots, V_n$ and vote counting means $C_1, C_2, \ldots, C_n$ which functions are posted;

(b) each voting means $V_k$ randomly choosing masking votes, $v_{k,j} \in \{1,-1\}$ and then randomly choosing two representations for $v_{k,j}$:

$$v_{k,j} = X_{k,j}^{(1)} + X_{k,j}^{(2)} + \cdots + X_{k,j}^{(n)} = A_{k,j} + B_{k,j}$$

and posting $E_i(X_{k,j}^{(i)})$, $E_a(A_{k,j})$ and $E_b(B_{k,j})$;

(c) reducing the equations in step (b) to

$$X_k^{(1)} + X_k^{(2)} + \cdots + X_k^{(n)} = A_k + B_k;$$

(d) proving the validity of the equation in step (c) by using prove-sum algorithm;

(e) executing algorithm prove±1, and

(f) encrypting $X_{k,j}^{(i)}$ using $C_i$'s public encryption algorithm for all j and i and posting the encryptions.

2. A method of secure electronic voting as set forth in claim 1, where steps (c), (d) and (e) result in generating an authentication certificate.

3. A method of secure electronic voting as set forth in claim 2, where said generating comprises applying the Fiat-Shamir method.

4. A method as set forth in any of claims 1 to 3, further comprising the steps of:

(g) voting means k in order to use vote j, computing $s_{k,j} \in \{-1,1\}$ such that an actual vote is equal to $s_{k,j}v_{k,j}$, and posting $s_{k,j}$.

5. A method as set forth in any of claims 1 to 4, further comprising the steps of:

(h) each vote counting means $C_i$ decrypting $X_k^{(i)}$ for all k and j, and verifying whether it is consistent with $E_i(X_k^{(i)})$;

(i) each vote counting means $C_i$ calculating subtally

$$t^{(i)} = \sum_k s_k \cdot X_k^{(i)}$$

and posting $t^{(i)}$, and

(j) verifying that

$$\prod_k \left(E_i(X_k^{(i)})\right)^{s_k}$$

is equal to $E_i(t^{(i)})$.

6. A method of secure electronic voting as set forth in claim 4 or 5, further comprising the step of posting j.

7. A method as set forth in claim 5 or 6, further comprising the step of combining said subtallies.

8. A method of secure electronic voting with a plurality of voting means and a plurality of vote counting means using partially compatible homomorphisms comprising the steps of:

(a) choosing a randomly selected family of partially compatible encryption functions $E_a$, $E_b$, $\{E_i\}$, for voting means $V_1, V_2, \ldots, V_n$ and vote counting means $C_1, C_2, \ldots, C_n$ which functions are posted;

(b) each voting means $V_k$ randomly choosing a masking vote, $v_{k,j} \in \{1,-1\}$ and then randomly choosing two representations for $v_{k,j}$:

$$v_{k,j} = X_{k,j}^{(1)} + X_{k,j}^{(2)} + \cdots + X_{k,j}^{(n)} = A_{k,j} + B_{k,j};$$

(c) voting means k in order to use vote j, computing $s_{k,j} \in \{-1,1\}$ such that an actual vote is equal to $s_{k,j}v_{k,j}$, and posting $s_{k,j}$, and

(d) each vote counting means $C_i$ calculating subtally

$$t^{(i)} = \sum_k s_k \cdot X_k^{(i)}$$

and posting $t^{(i)}$.

9. An apparatus for secure electronic voting using partially compatible homomorphisms comprising:

a plurality of voting means and a plurality of vote counting means, each having a randomly selected family of partially compatible encryption functions, $E_a$, $E_b$, $\{E_i\}$ which are posted on a publicly accessible media;

each voting means randomly choosing masking votes, $v_{k,j} \in \{1,-1\}$ and randomly choosing two representations for $v_{k,j}$:

$$v_{k,j} = X_{k,j}^{(1)} + X_{k,j}^{(2)} + \cdots + X_{k,j}^{(n)} = A_{k,j} + B_{k,j}$$

and posting $E_i(X_{k,j}^{(i)})$, $E_a(A_{k,j})$ and $E_b(B_{k,j})$ on said publicly accessible media;

means for reducing the equations for $v_{k,j}$ to the form

$$X_k^{(1)} + X_k^{(2)} + \cdots + X_k^{(n)} = A_k + B_k;$$

means for proving the validity of $v_{k,j}$ using prove-sum algorithm;

means for executing algorithm prove±1; and

means for encrypting $X_{k,j}^{(i)}$ using said partial encryption function for all j and i and posting the encryptions on said publicly accessible media.

10. An apparatus for secure electronic voting as set forth in claim 9, further comprising:

means for computing $s_{k,j} \in \{1,-1\}$ such that an actual vote is equal to $s_{k,j}v_{k,j}$ and posting $s_{k,j}$ on said publicly accessible media where k is one of said plurality of voting means and j is a vote.

11. An apparatus for secure electronic voting as set forth in claim 10, further comprising:

means associated with each of said vote counting means for decrypting $X_k^{(i)}$ for all k and j, and verifying whether it is consistent with $E_i(X_k^{(i)})$;

means associated with each of said vote counting means for calculating a subtally

$$t^{(i)} = \sum_k s_k \cdot X_k^{(i)}$$

and posting $t^{(i)}$ on said publicly accessible media; and

means for verifying that

$$\prod_k \left(E_i(X_k^{(i)})\right)^{s_k}$$

is equal to $E_i(t^{(i)})$.

12. An apparatus for secure electronic voting as set forth in claim 10 or 11, further comprising means for posting j on said publicly accessible media.

13. An apparatus for secure electronic voting using partially compatible homomorphisms comprising:

a plurality of voting means and a plurality of vote counting means, each having a randomly selected family of partially compatible encryption functions $E_a$, $E_b$, $\{E_i\}$ which are posted on a publicly accessible media;

each voting means randomly choosing a masking vote, $v_{k,j} \in \{1,-1\}$ and randomly choosing two representations for $v_{k,j}$:

$$v_{k,j} = X_{k,j}^{(1)} + X_{k,j}^{(2)} + \cdots + X_{k,j}^{(n)} = A_{k,j} + B_{k,j}$$

and posting $E_i(X_{k,j}^{(i)})$, $E_a(A_{k,j})$ and $E_b(B_{k,j})$ on said publicly accessible media;

means for computing $s_{k,j} \in \{-1,1\}$ such that an actual vote is equal to $s_{k,j}v_{k,j}$, and posting $s_{k,j}$ on said publicly accessible media, where k is one of said plurality of voting means and j is a vote;

means associated with each of said vote counting means for decrypting $X_k^{(i)}$ for all k and j, and verifying whether it is consistent with $E_i(X_k^{(i)})$;

means associated with each of said vote counting means for calculating a subtally

$$t^{(i)} = \sum_k s_k \cdot X_k^{(i)}$$

and posting $t^{(i)}$ on said publicly accessible media; and

means for combining said subtallies for determining the outcome of said voting.

14. An apparatus as set forth in any of claims 9 to 13, where said vote counting means and said voting means comprise a personal computer and said publicly accessible media comprises an electronic bulletin board.

15. An apparatus as set forth in any of claims 9 to 14, further comprising means for generating an authentication certificate.

16. An apparatus as set forth in any of claims 9 to 15, where said means for generating includes means for applying the Fiat-Shamir method.

prove±1($x_1$, $x_2$) /* Given $E_1(x_1)$, $E_2(x_2)$, prove that $x_1 + x_2 \in \{1,-1\} \bmod q$ */

1. The prover uniformly chooses $r \in Z_q$ and $s \in \{1,-1\}$, and computes $R = \beta(r)$, the secure commitment for r. The prover then computes

$$Y_1 = E_1(s(x_1 + r)) = (E_1(x_1)E_1(r))^s \text{ and}$$
$$Y_2 = E_2(s(x_2 - r)) = (E_2(x_2)E_2(r)^{-1})^s,$$

and posts $(Y_1, Y_2, R)$.

2a. With probability $\frac{1}{2}$ the verifier asks the prover to reveal r and s. The verifier checks that r is consistent with R and that the above identities for $Y_1$ and $Y_2$ hold.

2b. With probability $\frac{1}{2}$ the verifier asks the prover to reveal $s(x_1 + r)$ and $t = s(x_1 + r) + s(x_2 - r) \in \{1,-1\}$. The verifier then checks that $Y_1 = (E_1(x_1)E_1(r))^s$ and that $Y_2 = E_2(t - s(x_1 + r))$.

Figure 1

prove-sum($X^{(1)}, \ldots, X^{(n)}, A, B$)

/* Given $E_1(X^{(1)}), \ldots, E_n(X^{(n)}), E_a(A), E_b(B)$, prove that $X^{(1)} + X^{(2)} + \cdots + X^{(n)} = A + B$ */

1. For $0 \le i \le n$ the prover uniformly chooses $r_i \in Z_q$. The prover computes the commitment $R_i = \beta(r_i)$ and computes $Y_1, \ldots, Y_n, Y_a, Y_b$ by

$$Y_i = E_i(X^{(i)} + r_i) \text{ for } 1 \le i \le n,$$
$$Y_a = E_a(A + r_0) \text{ and}$$
$$Y_b = E_b\Big(B + \sum_{i=1}^{n} r_i - r_0\Big).$$

The prover posts $R_i$ and $Y_1, \ldots, Y_n, Y_a, Y_b$.

2a. With probability $\frac{1}{2}$, the verifier challenges the prover to reveal $r_0, \ldots, r_n$. The verifier checks that

$$R_i = \beta(r_i) \text{ for } 1 \le i \le n,$$
$$Y_i = E_i(X^{(i)})E_i(r_i) \text{ for } 1 \le i \le n,$$
$$Y_a = E_a(A)E_a(r_0), \text{ and}$$
$$Y_b = E_b(B)E_b\Big(-r_0 + \sum_{i=1}^{n} r_i\Big).$$

2b. With probability $\frac{1}{2}$ the verifier challenges the prover to reveal $(A + r_0)$, $(B - r_0 + \sum_{i=1}^{n} r_i)$ and $(X^{(i)} + r_i)$ for $1 \le i \le n$. The verifier checks that

$$Y_i = E_i(X^{(i)} + r_i) \text{ for } 1 \le i \le n,$$
$$Y_a = E_a(A + r_0) = \alpha^{(A + r_0)} \text{ and}$$

Finally, the verifier checks that

$$\sum_{i=1}^{n} (X^{(i)} + r_i) = (A + r_0) + \Big(B - r_0 + \sum_{i=1}^{n} r_i\Big).$$

Figure 2
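
The two challenges of prove-sum in Figure 2, as an added Python illustration that is not part of the patent text. It assumes E_label(x) = base^x mod P over a toy group and a SHA-256 hash standing in for the commitment β; the names E, beta, commit, verify and one_round, the forge_for_2b flag and all numeric values are constructed for this example.

```python
import hashlib
import secrets

# Toy group (constructed values): P = 2Q + 1, both prime. Far too small for real use.
Q, P = 1019, 2039

def E(label, x):
    """Assumed homomorphism E_label(x) = base^x mod P; label is 1..n, 'a' or 'b'."""
    seed = label + 1 if isinstance(label, int) else {"a": 101, "b": 103}[label]
    return pow(pow(seed, 2, P), x % Q, P)          # a square mod P has order Q

def beta(r):
    """Stand-in commitment (assumption): the page only calls beta a secure commitment."""
    return hashlib.sha256(str(r).encode()).hexdigest()

def commit(X, A, B, forge_for_2b=False):
    """Step 1: choose r_0..r_n and post (R, Y, Y_a, Y_b)."""
    r = [secrets.randbelow(Q) for _ in range(len(X) + 1)]
    masked = [(x + ri) % Q for x, ri in zip(X, r[1:])]
    a = (A + r[0]) % Q
    b = (B - r[0] + sum(r[1:])) % Q
    if forge_for_2b:                               # lying prover bets on challenge 2b
        b = (sum(masked) - a) % Q
    posted = ([beta(ri) for ri in r],
              [E(i + 1, m) for i, m in enumerate(masked)], E("a", a), E("b", b))
    return r, (a, b, masked), posted

def verify(challenge, enc, posted, reveal):
    """Step 2a (challenge 0, reveal = r) or step 2b (challenge 1, reveal = masked values)."""
    (EX, EA, EB), (R, Y, Ya, Yb) = enc, posted
    if challenge == 0:
        r = reveal
        return (all(Ri == beta(ri) for Ri, ri in zip(R, r))   # also covers R_0
                and all(Y[i] == EX[i] * E(i + 1, r[i + 1]) % P for i in range(len(EX)))
                and Ya == EA * E("a", r[0]) % P
                and Yb == EB * E("b", sum(r[1:]) - r[0]) % P)
    a, b, masked = reveal
    return (all(Y[i] == E(i + 1, m) for i, m in enumerate(masked))
            and Ya == E("a", a) and Yb == E("b", b)
            and sum(masked) % Q == (a + b) % Q)

def one_round(X, A, B, challenge, forge_for_2b=False):
    """One round against the posted encryptions of X, A, B with a fixed challenge bit."""
    enc = ([E(i + 1, x) for i, x in enumerate(X)], E("a", A), E("b", B))
    r, masked_vals, posted = commit(X, A, B, forge_for_2b)
    return verify(challenge, enc, posted, r if challenge == 0 else masked_vals)

if __name__ == "__main__":
    X = [300, 700, 20]                             # shares summing to 1 mod Q
    print("true statement :", one_round(X, 500, 520, 0), one_round(X, 500, 520, 1))
    print("false statement:", one_round(X, 500, 518, 0), one_round(X, 500, 518, 1))
    print("forged for 2b  :", one_round(X, 500, 518, 0, True), one_round(X, 500, 518, 1, True))
```

A prover whose shares do not sum to A + B can prepare an answer for one challenge but not both, so each round catches the false statement with probability 1/2.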

m votes n centers Election Scheme

Precomputation (In the following description, i ranges over 1, ..., n, j ranges over 1, ..., m, and k ranges over the indices of all valid voters $V_k$.)

1. The vote counters, $C_1, C_2, \ldots, C_n$ agree on a randomly selected family of partially compatible encryption functions, $E_a$, $E_b$, $\{E_i\}$ and post them.

2. Each voter $V_k$ randomly chooses a "masking vote" $v_{k,j} \in \{1,-1\}$ and then randomly chooses two representations for $v_{k,j}$.

The verifier posts $E_a(A_{k,j})$ and $E_b(B_{k,j})$.

3. $V_k$ executes the reduction described in conjunction with eq. (1) and obtains a single equation

equality of which implies that the given two representations of masking vote $v_{k,j}$ are equal for all j. $V_k$ then proves the validity of the equation using prove-sum.

4. $V_k$ executes protocol prove±1 to show that $A_{k,j} + B_{k,j} \in \{1,-1\}$ for all j.

5. $V_k$ encrypts $X_{k,j}^{(i)}$ using $C_i$'s public encryption algorithm, for all j and i, and posts the encryptions.

Vote Casting

1. To use the jth vote, voter k computes $s_{k,j} \in \{-1,1\}$ such that his actual vote is equal to $s_{k,j}v_{k,j}$, and posts j and $s_{k,j}$. Note that often j is known and thus need not be sent. Assume that the correct j for each voter is known, and henceforth drop j from the notation.

Vote Counting

1. Each center $C_i$ decrypts $X_k^{(i)}$ for all k and j, and verifies whether it is consistent with $E_i(X_k^{(i)})$. The center calculates the subtally $t^{(i)} = \sum_k s_k \cdot X_k^{(i)}$ and posts $t^{(i)}$.

2. Each person checking the vote verifies that $\prod_k (E_i(X_k^{(i)}))^{s_k}$ is equal to $E_i(t^{(i)})$. If so, they accept $\sum_i t^{(i)}$ as the tally of the vote.

If precomputation is not used, then $v_k$ can be used as the actual vote and $s_k$ is omitted.

Figure 3
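
The precomputation, vote casting and vote counting flow of Figure 3, as an added Python illustration that is not part of the patent text. It assumes E_i(x) = alpha_i^x mod P over a toy group, hands each share to its center directly instead of encrypting it under the center's public key, and omits the prove-sum and prove±1 proofs; all function names and numeric values are constructed for this example.

```python
import secrets

# Toy group (constructed values): P = 2Q + 1, both prime. Far too small for real use.
Q, P = 1019, 2039

def E(i, x):
    """Assumed form of E_i: alpha_i^x mod P, where alpha_i is a square of order Q."""
    return pow(pow(i + 2, 2, P), x % Q, P)

def precompute(n):
    """Voter, before the election: masking vote v, its n shares, the posted E_i(X^(i))."""
    v = secrets.choice([1, -1])
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((v - sum(shares)) % Q)           # shares sum to v mod Q
    return v, shares, [E(i, x) for i, x in enumerate(shares)]

def subtally(shares_i, s_list):
    """Center i: t^(i) = sum_k s_k * X_k^(i) mod Q."""
    return sum(s * x for s, x in zip(s_list, shares_i)) % Q

def check_subtally(i, posted_i, s_list, t_i):
    """Any observer: prod_k E_i(X_k^(i))^(s_k) must equal E_i(t^(i))."""
    acc = 1
    for c, s in zip(posted_i, s_list):
        acc = acc * pow(c, s % Q, P) % P           # exponent -1 becomes Q - 1
    return acc == E(i, t_i)

def run_election(actual_votes, n, cheating_center=None):
    """Return (tally, per-center check results) for votes in {1,-1} split over n centers."""
    ballots = [precompute(n) for _ in actual_votes]
    # Vote casting: s_k = actual * v_k, so s_k * v_k == actual because v_k^2 == 1.
    s_list = [a * v for a, (v, _, _) in zip(actual_votes, ballots)]
    subtallies, checks = [], []
    for i in range(n):
        t_i = subtally([b[1][i] for b in ballots], s_list)
        if i == cheating_center:
            t_i = (t_i + 1) % Q                    # this center misreports its subtally
        subtallies.append(t_i)
        checks.append(check_subtally(i, [b[2][i] for b in ballots], s_list, t_i))
    total = sum(subtallies) % Q
    return (total if total <= Q // 2 else total - Q), checks

if __name__ == "__main__":
    votes = [1, 1, -1, 1, -1, 1, 1]                # constructed sample: 5 yes, 2 no
    print("honest centers :", run_election(votes, n=3))
    print("center 1 cheats:", run_election(votes, n=3, cheating_center=1))
```

The check for a center that misreports its subtally fails against the encrypted shares already on the bulletin board, without anyone else learning an individual share.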